This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.

The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.
For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.
rob
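To turn Rob's point into a check, here is an added example (not code from this thread or from FreeIPA) that lists users whose gidNumber matches a group they are not a memberOf member of, i.e. the accounts that will not receive roles assigned to that group. It assumes attribute dumps in the "attr: value" layout of `ipa user-find --all --raw` and `ipa group-find --all --raw`; the sample entries are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample dumps (not real directory data), laid out like the "attr: value"
# records of `ipa ... --raw`; that output format is an assumption here, not from the thread.
USERS = """uid: u1
gidnumber: 1001
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test

uid: u2
gidnumber: 1001
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=g1,cn=groups,cn=accounts,dc=example,dc=test
"""
GROUPS = """cn: g1
gidnumber: 1001

cn: ipausers
"""

def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split blank-line-separated 'attr: value' records into dicts of lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def implicit_only_members(users_text: str, groups_text: str) -> List[Tuple[str, str]]:
    """(uid, group) pairs where the user's primary GID names a group the user is
    not a memberOf member of, so roles granted to that group do not reach the user."""
    gid_to_group = {g["gidnumber"][0]: g["cn"][0]
                    for g in parse_entries(groups_text) if "gidnumber" in g}
    findings = []
    for u in parse_entries(users_text):
        group = gid_to_group.get(u.get("gidnumber", [""])[0])
        if group is None:
            continue
        # memberOf holds DNs such as cn=g1,cn=groups,cn=accounts,...
        prefix = f"cn={group.lower()},"
        if not any(m.lower().startswith(prefix) for m in u.get("memberof", [])):
            findings.append((u.get("uid", ["?"])[0], group))
    return findings
```

Each reported pair is a user who, like u1 in the thread, shows up in `id` output as a member of the group but must be added with `ipa group-add-member` before group-based roles apply.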

Exactly, but the question is, shouldn't IPA add this membership
automatically? (Of course, only in case IPA has a group with this GID.)

David

On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com> wrote:
On 21/08/15 15:21, bahan w wrote:
Hello !
I am contacting you because I noticed something strange in the IPA
environment.
I created a group:
ipa group-add g1 --desc="my first group"
Then I created a user with the GID of g1:
GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
ipa user-add --first=u1 --last=u1 --homedir=/home/u1 \
    --shell=/bin/bash --gidnumber=${GID1} u1
Then when I run the ipa group-show g1 command, I get the
following result:
###
Group name: g1
Description: my first group
GID: <gid1>
###
Same for ipa user-show u1:
###
User login: u1
First name: u1
Last name: u1
Home directory: /home/u1
Login shell: /bin/bash
Email address: u1@<MYDOMAIN>
UID: <uid1>
GID: <gid1>
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
###
These 2 commands do not see u1 as a member of g1.
When I try the command id u1, I can see the group:
###
id u1
uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
###
Is it the normal behaviour of these IPA commands?
Best regards.
Bahan
Hello!
I'm not sure if this is intended and/or correct behavior or not.
Looking at /etc/passwd and /etc/group I see it behaves similarly in
a way.
You can have the following entries in the aforementioned files:
[/etc/group]
...
g1:x:<gid1>:
...
[/etc/passwd]
...
u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
...
Looking in /etc/group you can't see that user 'u1' is a member of group
'g1', but tools like id, groups and getent show this information.
On the other hand it would be useful to show these "implicit"
members in group-show output.
Could you please file a ticket
(https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project